Re: Is my system compromised
On Friday 03 February 2006 12:24, Ben Meijering wrote:
>Hi,
>
>I am kind of new to using Debian and was wondering if anyone could help
>me.
>I was looking in my /etc/rc2.d directory to see what kind of services
>were installed on my server.
>
>The contents of my rc2.d directory are as follows:
>
>S10distwatchd  S20courier-authdaemon  S20nfs-kernel-server  S89cron
>S10sysklogd    S20courier-pop         S20pptpd              S89watchd
>S11klogd       S20courier-pop-ssl     S20samba              S91apache
>S14ppp         S20exim                S20ssh                S91apache-ssl
>S15bind9       S20inetd               S21nfs-common         S99rmnologin
>S15lwresd      S20lpd                 S23killd              S99stop-bootlogd
>S18portmap     S20makedev             S50proftpd
>S19sshd        S20mysql               S89atd
>
>I couldn't find a man page for distwatchd and just tried to run it,
>which gave the following result:
>
>benspagina:/etc/rc2.d# /etc/init.d/distwatchd
>
>
>FUCK: Got signal 11 while manipulating kernel!
>
>Searching for this last sentence I found all sorts of pages talking
>about compromised servers.
>So I downloaded chkrootkit, but this said my system was clean.
>
>Is there a chance my system is compromised?
I'd have my doubts although chkrootkit is getting a bit long in the
tooth now. I'd druther think distwatchd might not be properly
configured.
But being paranoid, I run chkrootkit 2x a day on my firewall box anyway.
>I hope anyone can help me.
>
>Greets,
>
>Ben
--
Cheers, Gene
People having trouble with vz bouncing email to me should add the word
'online' between the 'verizon', and the dot which bypasses vz's
stupid bounce rules. I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2006 by Maurice Eugene Heskett, all rights reserved.
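
Added example, not part of either poster's message: one way to check whether each script linked from the rc directory appears in an installed package's file list, a useful first question for an entry like distwatchd that has no man page. The function names and the constructed demo tree are assumptions; `/var/lib/dpkg/info/*.list` is where dpkg keeps its per-package file lists.

```shell
#!/bin/sh
# Added example: report rc-directory entries whose init script is not
# listed in any installed package's file list.
#   $1  runlevel directory            (default: /etc/rc2.d)
#   $2  directory of dpkg *.list files (default: /var/lib/dpkg/info)
unowned_init_scripts() {
    rcdir=${1:-/etc/rc2.d}
    infodir=${2:-/var/lib/dpkg/info}
    for link in "$rcdir"/[SK][0-9][0-9]*; do
        # Skip the literal pattern when the directory has no matches
        [ -e "$link" ] || [ -L "$link" ] || continue
        # Follow the symlink to the real script under init.d
        target=$(readlink -f "$link") || target=$link
        # -x -F: the whole line must equal the path, no regex matching.
        # If no *.list files exist, every entry is reported.
        if ! grep -qxF -- "$target" "$infodir"/*.list 2>/dev/null; then
            printf '%s -> %s\n' "${link##*/}" "$target"
        fi
    done
}

# Constructed sample tree (not taken from the poster's machine): three
# init scripts, of which only ssh and cron are claimed by a package.
demo_constructed_tree() {
    base=$(cd "$(mktemp -d)" && pwd -P)
    mkdir "$base/init.d" "$base/rc2.d" "$base/info"
    : > "$base/init.d/ssh"
    : > "$base/init.d/cron"
    : > "$base/init.d/distwatchd"
    ln -s ../init.d/ssh "$base/rc2.d/S20ssh"
    ln -s ../init.d/cron "$base/rc2.d/S89cron"
    ln -s ../init.d/distwatchd "$base/rc2.d/S10distwatchd"
    printf '%s\n' "$base/init.d/ssh" > "$base/info/ssh.list"
    printf '%s\n' "$base/init.d/cron" > "$base/info/cron.list"
    unowned_init_scripts "$base/rc2.d" "$base/info"
    rm -rf "$base"
}

demo_constructed_tree
```

On a host that may already be compromised, the installed tools and the dpkg database cannot be trusted, so a check like this is better run from rescue media against the mounted disk, passing both directories explicitly.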